China, cyber-security, deterrence, forced technology transfer, hacking, intelligence, Michael Rogers, multinational companies, National Security Agency, Our So-Called Foreign Policy, technology transfer
Here’s another noteworthy aspect of the timing of President Obama’s Executive Amnesty announcement last night: It almost completely obscured the at least comparably important hearings held by the House Intelligence Committee about cyber threats to U.S. national security.
The testimony and other statements from Adm. Michael Rogers, head of the National Security Agency and the nation’s cyber-security operations, made so many critical points and raised so many critical questions that I hardly know where to begin.
News reports focused on Rogers’ warning – ostensibly the first by a U.S. government official – that China and other governments are now able to launch truly destructive attacks on America’s energy grid and other vital economic systems, and are currently conducting the electronic snooping needed to pave the way for such assaults.
At the same time, such fears have already become widespread. I’m more interested now in Rogers’ views on policy responses and their implications – some of them confusing, some of them scary.
Principally, I was pleased to see Rogers argue that the United States can’t simply stay on the defensive in this cyber cold war. No security strategy can be entirely passive and reactive unless, as is the case with nuclear weapons, the nation possesses retaliatory capabilities powerful enough to deter effectively.
And this is where I start to worry. Since the United States is widely described as the world’s predominant technology power, I’ve often wondered why Washington hasn’t responded to actual cyber attacks from China and other sources with threats (communicated in private, of course) to respond by, say shutting down major cities for a week or so, and by promising to do worse unless these foreign powers stand down.
One possible conclusion is that this simply isn’t the Obama administration’s style. Rogers actually fed this fear with his proposal for a global cyber “code of conduct” that would ostensibly prevent or damp down conflict in this realm. As with other such proposals in arms control and other sectors, this notion ignores the reality that such agreements can only succeed if a strong enough global consensus on these matters exists in the first place. That foreign cyber attacks are taking place reveals how fanciful that belief is.
But another possibility, which is much more frightening, is that Washington has turned the other cheek because it simply has no choice – i.e., that it lacks that deterrent capability in cyber warfare. Not that I – or anyone outside the American intelligence community – can be certain of such top secret matters. Yet the nation’s inability to turn its technology edge into an effective cyber defense capability or deterrent could mean either that its cyber security strategy has been a dismal failure, or that this edge isn’t so impressive – if it exists at all.
At the same time, it’s important to note that Rogers’ call for creating offensive cyber capabilities and all that it implies about the global cyber security balance has been belied by reports – based on leaked intelligence community documents – that many American cyber attacks have in fact been launched.
That would be reassuring – although it also would reveal that such moves have been inadequate so far to deter many foreign attacks. (In theory, of course, they might be deterring much worse attacks.) Yet I would be feeling much better if Rogers – and other intelligence and security officials – publicly addressed a major shortcoming in America’s cyber security strategy: the pass it’s given to U.S. multinational companies’ huge programs to train foreign technology professionals and to their substantial transfer of hacking-relevant knowhow to foreign economies.
This gaping hole in the bucket isn’t directly to blame for Russian and Iranian hacking prowess – although any such overseas aid becomes that much likelier to find its way to unfriendly countries. But as I’ve reported, it bears substantial blame for boosting China’s capabilities.
Again, because such matters are (righty) classified, it’s difficult to know what, if anything, Washington is doing to address this problem. But the continuation of such tech transfer, both voluntary and extorted, makes clear that any efforts being made need to be strengthened greatly, and that American cyber strategy will remain dangerously deficient if it continues to lack a serious denial dimension.